Anti-Corruption ISO standard measures: the first nine months and next steps
Revised by Bachir El Nakib, Senior Consultant Compliance Alert (LLC)
In October 2016, the International Organization for Standardization (ISO), a worldwide federation of national standards bodies, released a standard for anti-bribery management systems – ISO 37001. The launch of the ISO standard was the culmination of years of consultation between governments, major corporations, and NGOs. The new standard sets forth requirements for anti-bribery management systems, as well as detailed guidance for establishing, implementing, maintaining, reviewing and improving them. This article breaks down how the ISO standard has fared in its first nine months, and identifies straightforward ways in which compliance officers can use the ISO standard to bolster their existing anti-corruption programs.
Companies and governments have begun to embrace ISO 37001, though it remains too early to tell how far this initial enthusiasm will go. Microsoft, the third most valuable company in the world, announced in April that it would be the first U.S. firm to seek ISO certification for its corporate anti-corruption program. Deputy General Counsel David Howard praised the standard for "creat[ing] a common terminology and provid[ing] an objective yardstick for organizations to measure their own program, as well as the programs of the partners in their value chain." Walmart followed suit in May, and the Arkansas-based retailer’s top compliance officer told a conference that he had "begun looking for a company that would certify us." The governments of Singapore, the United Arab Emirates, Peru, and the Philippines have spearheaded programs to accredit private third-party bodies that can certify ISO compliance, and ISO certification could eventually become mandatory for contractors seeking to do business with these governments. The UAE scheme is already up and running, and Robert Bosch Middle East became the first company to acquire ISO certification in Abu Dhabi earlier in June.
On the other hand, neither the Department of Justice (DOJ) nor the Securities and Exchange Commission (SEC), the two U.S. government bodies tasked with enforcing the U.S. Foreign Corrupt Practices Act (FCPA), has made a peep about ISO 37001 since October. Although detailed remedial measures for internal compliance programs are common in FCPA settlement agreements, neither regulator has thus far required ISO 37001 certification as a condition of ending an investigation. In February, the DOJ released guidance on the "Evaluation of Corporate Compliance Programs," which described the factors prosecutors consider when conducting investigations and negotiating settlements; ISO 37001 did not earn a mention there either. Leading multinational firms in the finance sector have also yet to indicate whether ISO 37001 implementation is in their future.
Even if U.S. enforcement officials are slow to warm to ISO 37001, compliance officers should not underestimate how valuable a resource the new standards can be when implementing and revamping internal anti-corruption policies. ISO 37001 is currently one of the most detailed resources available for companies to follow when developing or benchmarking an anti-bribery management system. Accordingly, the ISO standard provides a useful frame of reference for companies developing management tools such as key performance indicators (KPIs) and tracking metrics to address anti-corruption compliance. Several portions of the ISO standards, including sections that address firm messaging, employee training, and employment due diligence, are particularly well-suited for adaptation into KPIs.
Firm leadership and messaging
Section 5 of the ISO standard emphasizes the importance of company leadership with regard to an anti-bribery management system. Company leadership (directors, executives, and top compliance officials) plays two critical roles: the first is establishing, maintaining, and updating the anti-corruption program itself; the second is continuously emphasizing a "culture of compliance" that will permeate all levels of the firm.
"Top management" must, per Section 5.1, ensure the adoption and continuous review of an anti-bribery management system. Section 5.2 outlines what a qualifying compliance policy should contain, and requires that the policy should be documented and accessible in "appropriate language within the organization and to business associates who pose more than a low risk of bribery."
Based on the ISO standard, a reasonable KPI for this first "leadership component" would be: "Relevant and applicable company processes exist in key areas, to detect and prevent bribery, that are regularly reviewed." The components relevant to measuring achievement of this KPI could then be:
- that the company has an anti-corruption policy in accordance with Section 5.2 of ISO 37001 and that policy was reviewed in the past 12 months;
- procedures or policies have been developed in response to identified company risks;
- those procedures or policies encompass the requirements of ISO 37001; and
- the procedures and policies are translated into local languages and are accessible to employees and business associates.
The second role of leadership is to create a "culture of compliance," and Section 5.1.2 of the ISO standards urges companies to "demonstrate leadership and commitment with respect to the anti-bribery management system." Section 7.4.1 specifically endorses the idea of an organization creating a strategy around its internal messaging.
Compliance officers could institute a messaging-related KPI, such as, "a clear anti-corruption commitment is demonstrated by headquarters and local leaders and accepted by supervisors and employees." Such a KPI might entail developing a communications plan surrounding anti-corruption compliance based on the standard, then developing metrics to determine employees’ receptiveness to such messages. Such metrics could include:
- Conducting random surveys of employees, and designing metrics that measure how many respondents answered in a certain way.
- Tracking the number of messages and reminders sent by global and local management. The metrics could include a goal of sending at least two annual messages from top senior executives and two from local management in each relevant geographic area.
Employee training
Section 7.3 of the ISO standard requires that an organization "provide adequate and appropriate anti-bribery awareness and training to personnel" on a regular basis "as appropriate to their roles, the risks of bribery to which they are exposed and any changing circumstances." A robust employee training program is the bedrock of any compliance policy, and US regulators have suggested that the existence of such a program can be a crucial mitigating factor during FCPA investigations. Fortunately, this is an area that lends itself to a number of measurable, quantifiable standards.
To comport with the ISO training standard, a company could define its KPI as "creating a training plan in line with the standard’s requirements, delivering trainings to a threshold percentage covered by the training plan, and having a certain percentage of employees understand" the company’s anti-corruption policy. Some metrics through which a company can measure its training program include:
- Identifying a threshold for the number of employees trained (e.g. 75 percent of the workforce).
- A company can also incorporate the ISO's requirement that the training be tailored appropriately to an employee's position by creating a metric that all managers in a certain region be provided a specialized training, or that all management above a certain level must receive in-person training.
- In order to show that the training is not just robust but effective, a company can test its employees at various points following the training to ensure that a necessary amount of information about the anti-corruption policy is retained.
A KPI that incorporates such metrics would allow a company to monitor the effectiveness of its program, fulfill its obligations under the ISO standard, and, ideally, reduce the frequency of future violations of the anti-corruption policy.
Employment due diligence and screening
Another critical component of an anti-corruption policy is ensuring that there is rigorous due diligence of new hires prior to the beginning of their employment. Annex 8.1 of the ISO standard states that an organization's due diligence could include "taking reasonable steps to verify that the organization is not offering employment to prospective personnel in return for their having, in previous employment improperly favoured the organization" or "verifying that the purpose of offering employment to prospective personnel is not to secure improper favourable treatment for the organization." This is a logical place to utilize another KPI: not only have US regulators stepped up scrutiny of the hiring of relatives of high-powered officials in recent FCPA actions, but hiring practices naturally lend themselves to metrics.
A KPI for this issue could be "relationships with government officials are identified for potential and current employees and interns, and for politically exposed people (PEPs) due diligence is conducted and controls are instituted in order to avoid corruption risks." The component metrics might include:
- Above 90 percent of applicants and employees complete a questionnaire designed to identify government affiliations;
- Legal or compliance performs due diligence on at least 90 percent of applicants and employees identified as PEPs; and
- PEPs who are hired or who are in the workforce have controls instituted (e.g., prohibition on contact with government entity that previously employed PEP).
A company could also choose to include within the KPI an effectiveness metric, focusing on program testing or auditing, to make certain that the screening process is working properly.
As ISO 37001 continues to gain traction with regulators worldwide, compliance professionals should draw upon the new standard when seeking to bolster internal anti-corruption policies.